The network is very porous, said Steven, and the IoT will accelerate that trend. “One prime directive is to stop putting fences around things and recognize that communication is the purpose of the devices,” Steven said.
Too often Steven has seen companies very surprised to learn that they have many more attack surfaces than they expected. “If a legacy system encompasses the databases, server, and client, some people believe that they are only dealing with one untrusted connection to the browser.”
The risk for that enterprise is in backups, disaster recovery, incident response, and any other outsourced, unedited, unencrypted, and unaudited connections.
Paula Musich, research director at NSS Labs, said, “Historically, network security has been focused on ports and protocols, and it has relied on the ability to scan network traffic—typically at the perimeter of the enterprise network.”
Included in protecting the network are “firewalls, intrusion prevention systems (IPS), secure web gateways (SWG), distributed denial-of-service (DDoS) protection, virtual private networks (VPN), and more,” Musich said.
The introduction of context-aware network security, said Musich, “has blurred the lines between network and application security, and the integration of network security appliances and software with endpoint protection has contributed to that blurring. Nevertheless, network security still relies on the ability to scan traffic on the enterprise network.”
Cloud computing and mobile applications have contributed to the crumbling walls of the network perimeter. “Access to cloud-based enterprise applications, and to mobile apps used by workers to collaborate on company business, must still be secured,” Musich said. “Application security, on the other hand, focuses on how the applications operate and looks for anomalies in those operations.”
Application security encompasses web application firewalls, database security, email server security, browser security, and mobile application security, Musich continued. “You could also include static and dynamic testing of application code, although that is more often done on custom enterprise applications before they are released to production,” she said.
Building security into the things we want to protect is critical not only for the future but also for right now. “Connectivity is the value, not a fad,” said Steven, “and the ability to connect and build trust between devices is how they have value.”
Those organizations that continue to focus their resources on network security, though, are not necessarily misguided, said Bill Ledingham, CTO and executive vice president of engineering at Black Duck Software.
“The problem of network security doesn’t go away,” Ledingham said. “Other challenges are getting layered on top of that.”
Critical assets outside of the perimeter are vulnerable because of the number of applications and resources exposed during internet access. “You take your laptop on the road, enable them for Internet access, there are other points of vulnerability injected into that overall picture,” Ledingham said.